darkvision | 30dc2d8761e9bbd836e9ecbff8ce5a11e7bba4b76d4e6d74db3b69b4716b67ff

General

Target

30dc2d8761e9bbd836e9ecbff8ce5a11e7bba4b76d4e6d74db3b69b4716b67ff.exe
Size

1.0MB
MD5

148763f489be6f80e66dde9bf907aa4e
SHA1

ef45b99fb1b05ca3718e258e2814172a0ec2955c
SHA256

30dc2d8761e9bbd836e9ecbff8ce5a11e7bba4b76d4e6d74db3b69b4716b67ff
SHA512

c4809295af24e18978b0a1fe177cacc4c37676bfc9449c40c376aa740a6b9be963831706f1f3e529e87a1403976a296dffab0c70514b66bfcd756333820e01bb
SSDEEP

12288:pIfbwPDpwTkiC2X8anaAZqlJCj6D2fJZSj+2O+AJzRhM:pIfbbbXnbZiK2O+AJzRhM

Score

10^/10

darkvision discovery persistence rat

Malware Config

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Blocklisted process makes network request 14 IoCs

flow	pid	Process
24	4572	cmd.exe
29	4572	cmd.exe
33	4572	cmd.exe
51	4572	cmd.exe
54	4572	cmd.exe
57	4572	cmd.exe
58	4572	cmd.exe
60	4572	cmd.exe
63	4572	cmd.exe
66	4572	cmd.exe
67	4572	cmd.exe
68	4572	cmd.exe
69	4572	cmd.exe
70	4572	cmd.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
50	1628	Process not Found

Deletes itself 1 IoCs

pid	Process
4572	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\ProgramData\\popi\\popi.exe {8B968540-222E-4DC3-94D3-2DB22B55DD58}"	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4088	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4152	30dc2d8761e9bbd836e9ecbff8ce5a11e7bba4b76d4e6d74db3b69b4716b67ff.exe
4152	30dc2d8761e9bbd836e9ecbff8ce5a11e7bba4b76d4e6d74db3b69b4716b67ff.exe
4152	30dc2d8761e9bbd836e9ecbff8ce5a11e7bba4b76d4e6d74db3b69b4716b67ff.exe
4152	30dc2d8761e9bbd836e9ecbff8ce5a11e7bba4b76d4e6d74db3b69b4716b67ff.exe
4572	cmd.exe
4572	cmd.exe
4572	cmd.exe
4572	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4152	30dc2d8761e9bbd836e9ecbff8ce5a11e7bba4b76d4e6d74db3b69b4716b67ff.exe
4152	30dc2d8761e9bbd836e9ecbff8ce5a11e7bba4b76d4e6d74db3b69b4716b67ff.exe
4152	30dc2d8761e9bbd836e9ecbff8ce5a11e7bba4b76d4e6d74db3b69b4716b67ff.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4152	30dc2d8761e9bbd836e9ecbff8ce5a11e7bba4b76d4e6d74db3b69b4716b67ff.exe
Token: SeDebugPrivilege	4572	cmd.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 4572	4152	30dc2d8761e9bbd836e9ecbff8ce5a11e7bba4b76d4e6d74db3b69b4716b67ff.exe	87
PID 4152 wrote to memory of 4572	4152	30dc2d8761e9bbd836e9ecbff8ce5a11e7bba4b76d4e6d74db3b69b4716b67ff.exe	87

C:\Users\Admin\AppData\Local\Temp\30dc2d8761e9bbd836e9ecbff8ce5a11e7bba4b76d4e6d74db3b69b4716b67ff.exe
"C:\Users\Admin\AppData\Local\Temp\30dc2d8761e9bbd836e9ecbff8ce5a11e7bba4b76d4e6d74db3b69b4716b67ff.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Blocklisted process makes network request
  - Deletes itself
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4572

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDlGMjVBRjgtNTY1RC00NDY1LTgxMUEtNDMxRTVBQTREQzNBfSIgdXNlcmlkPSJ7NEIyRThCODQtRTc2Ny00NzlGLTk0QjgtMzBFRUJEMDYzQTg5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NzQxNjZDOEYtNkU2Qy00NzVBLThGNzItMEMyQjVGRTZDNzQzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDQ1MTY3NzUwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4152-0-0x0000000140000000-0x000000014006F000-memory.dmp

Filesize
444KB

Download
memory/4152-1-0x0000000140000000-0x000000014006F000-memory.dmp

Filesize
444KB

Download
memory/4152-30-0x0000000140000000-0x000000014006F000-memory.dmp

Filesize
444KB

Download
memory/4152-29-0x00007FF73CF00000-0x00007FF73CFBB000-memory.dmp

Filesize
748KB

Download
memory/4572-2-0x0000027EC8F70000-0x0000027EC8F71000-memory.dmp

Filesize
4KB

Download
memory/4572-3-0x0000027ECAB10000-0x0000027ECABCB000-memory.dmp

Filesize
748KB

Download
memory/4572-25-0x0000000140000000-0x000000014006F000-memory.dmp

Filesize
444KB

Download
memory/4572-27-0x0000000140000000-0x000000014006F000-memory.dmp

Filesize
444KB

Download
memory/4572-26-0x0000000140000000-0x000000014006F000-memory.dmp

Filesize
444KB

Download
memory/4572-28-0x0000000140000000-0x000000014006F000-memory.dmp

Filesize
444KB

Download
memory/4572-31-0x0000027EC8F70000-0x0000027EC8F71000-memory.dmp

Filesize
4KB

Download
memory/4572-32-0x0000000140000000-0x000000014006F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads